Google Chrome Dawn Out-of-Bounds Memory Access Vulnerability on Mac

Vulnerability

A high-severity vulnerability in the Dawn implementation of Google Chrome on Mac, prior to version 130.0.6723.92, allows remote attackers to perform out-of-bounds memory access via a specially crafted HTML page. This issue arises from improper handling of side-effect-free infinite loops in WebGPU shaders, which can be exploited to read from and write to arbitrary memory locations on the GPU.

Impact

Exploitation of this vulnerability leads to out-of-bounds memory access on the GPU, allowing for unauthorized reading from and writing to memory buffers, which could potentially be used to manipulate program behavior or cause a crash.

Reproduction

The vulnerability can be reproduced by creating a WebGPU compute shader that exploits the undefined behavior of a side-effect-free infinite loop. The loop can be crafted to bypass out-of-bounds checks, allowing the shader to read from and write to memory buffers it is not authorized to access. This is done by injecting a condition that leads the Metal compiler to believe the loop will terminate, while in practice it executes indefinitely, thereby enabling the out-of-bounds access.

Remediation

Users can update to Google Chrome version 130.0.6723.92 or later to address this vulnerability.
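The following script is an added example, not part of this advisory, that a Mac administrator can run to confirm whether an installed Google Chrome is still below the fixed build named above. It assumes the standard app bundle location (/Applications/Google Chrome.app), reads CFBundleShortVersionString from the bundle's Info.plist with /usr/libexec/PlistBuddy, and compares the four dotted numeric fields against 130.0.6723.92; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): report whether the installed
# Google Chrome on macOS is older than the build that fixes this issue.
# Versions are compared field by field as integers, not as strings.

FIXED_VERSION="130.0.6723.92"   # first fixed version, from the advisory

# version_lt A B : succeed (exit 0) if dotted version A is strictly older than B
version_lt() {
    a="$1"; b="$2"
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}          # missing trailing fields count as 0
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1                           # all four fields equal: not older
}

# installed_chrome_version : print the bundle version of the assumed install
# path; fail if Chrome is not installed there
installed_chrome_version() {
    plist="/Applications/Google Chrome.app/Contents/Info.plist"  # assumed path
    [ -f "$plist" ] || return 1
    /usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist" 2>/dev/null
}

# check_version V : print VULNERABLE if V predates the fix, FIXED otherwise
check_version() {
    if version_lt "$1" "$FIXED_VERSION"; then
        echo "VULNERABLE"
    else
        echo "FIXED"
    fi
}

if v=$(installed_chrome_version); then
    echo "Google Chrome $v: $(check_version "$v")"
else
    echo "Google Chrome not found at /Applications/Google Chrome.app"
fi
```

Run it with `sh check_chrome.sh` on each managed Mac; a VULNERABLE result means the browser should be updated (or left to auto-update and relaunched) before the host is allowed to browse untrusted pages.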

Added: Nov 14, 2025, 3:24 AM
Updated: Nov 14, 2025, 3:24 AM

Vulnerability Rating

Custom Algorithm

spread: 8.4
impact: 2.5
exploitability: 5.8
remediation: 7.7
relevance: 1.1
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.